A critical denial-of-service vulnerability has been found in Apache Struts 2, affecting a number of versions of the popular web application framework.
The vulnerability, identified as CVE-2025-64775, stems from a file leak in multipart request processing that can trigger disk exhaustion and server crashes.
Organizations running affected versions should prioritize patching immediately to prevent potential service disruptions. The flaw exists in Apache Struts 2's file upload functionality when it is enabled.
Attribute        Details
CVE ID           CVE-2025-64775
Impact           Denial-of-Service
Severity         Important
Fixed Versions   Struts 6.8.0+, Struts 7.1.1+
Patch Status     Backward Compatible
A file leak in multipart request processing causes disk exhaustion by allowing attackers to fill storage capacity, because the temporary files are not cleaned up or otherwise managed.
This results in a complete denial of service, as the server becomes unable to process legitimate requests once disk space is exhausted.
Security researcher Nicolas Fournier discovered the vulnerability. This advisory is critical for all Apache Struts 2 developers, system administrators, and organizations deploying Struts-based applications.
Any organization with file upload capabilities enabled should immediately assess its environment and apply the necessary patches.
Multiple versions across four major release lines are impacted.
Versions                   Status               Recommendation
Struts 2.0.0 – 2.3.37      EOL & Vulnerable     Upgrade immediately
Struts 2.5.0 – 2.5.33      EOL & Vulnerable     Upgrade immediately
Struts 6.0.0 – 6.7.4       Vulnerable           Update required
Struts 7.0.0 – 7.0.3       Vulnerable           Update required
Struts 6.8.0+ or 7.1.1+    Safe                 Use minimum recommended versions
Struts 2.0.0 through 2.3.37 are affected, though this version line has reached end-of-life. Struts 2.5.0 through 2.5.33 are also vulnerable and have likewise reached end-of-life status.
More critically, Struts 6.0.0 through 6.7.4 and Struts 7.0.0 through 7.0.3 remain actively maintained and require immediate updates. Organizations should upgrade to Struts 6.8.0 or Struts 7.1.1 at a minimum.
The patches are backward compatible, ensuring smooth transitions without breaking existing functionality.
Those unable to upgrade immediately can implement workarounds by configuring a dedicated temporary folder with limited storage, or by turning off file upload support if it is not required for operations.
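While a patch or workaround is being rolled out, operators will want to know whether leaked multipart temp files are already piling up. The following script is an added example, not code from the advisory or from the Struts project: it scans the upload temp directory for stale files and compares their total size against a disk budget. It assumes the directory is the one Struts' struts.multipart.saveDir points at and that leaked files follow the commons-fileupload naming pattern upload_*.tmp; adjust both for your deployment.

```python
"""Flag leaked multipart temp files before they exhaust the disk (added example)."""
import os
import tempfile
import time
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class LeakReport:
    stale_files: int      # temp files older than the age threshold
    stale_bytes: int      # disk space those files hold
    exceeds_budget: bool  # True when stale_bytes is over the allowed budget


def scan_upload_dir(save_dir, pattern="upload_*.tmp", max_age_sec=600,
                    budget_bytes=512 * 1024 * 1024, now=None):
    """Count temp files older than max_age_sec in save_dir.

    A healthy Struts instance deletes its multipart temp files when the request
    finishes, so files older than a few minutes are assumed to be leaked.
    The directory and file pattern are assumptions; see the lead-in."""
    now = time.time() if now is None else now
    stale_files = stale_bytes = 0
    with os.scandir(save_dir) as entries:
        for entry in entries:
            if not entry.is_file() or not fnmatch(entry.name, pattern):
                continue
            st = entry.stat()
            if now - st.st_mtime >= max_age_sec:
                stale_files += 1
                stale_bytes += st.st_size
    return LeakReport(stale_files, stale_bytes, stale_bytes > budget_bytes)


def build_sample_dir(n_stale=3, n_fresh=2, size=1024):
    """Constructed sample data: a throwaway dir with backdated (leaked) and fresh files."""
    d = tempfile.mkdtemp(prefix="struts-demo-")
    old = time.time() - 3600
    for i in range(n_stale):
        path = os.path.join(d, f"upload_leaked_{i}.tmp")
        with open(path, "wb") as f:
            f.write(b"\0" * size)
        os.utime(path, (old, old))  # backdate so it counts as leaked
    for i in range(n_fresh):
        with open(os.path.join(d, f"upload_live_{i}.tmp"), "wb") as f:
            f.write(b"\0" * size)  # in-flight upload, must not be flagged
    return d


if __name__ == "__main__":
    print(scan_upload_dir(build_sample_dir(), budget_bytes=2048))
```

Run it from cron against the real saveDir with a budget sized to the dedicated partition; a report with exceeds_budget set is the signal to clear the directory and restart the upload-handling nodes.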
